Description
It was found that the cookie used for CSRF prevention in Keycloak was not unique to each session. An attacker could use this flaw to gain access to an authenticated user session, leading to possible information disclosure or further attacks.
References (5)
Core 5
Core References
Issue Tracking, Third Party Advisory, VDB Entry x_refsource_confirm
https://bugzilla.redhat.com/show_bug.cgi?id=1484111
Third Party Advisory vendor-advisory
x_refsource_redhat
https://access.redhat.com/errata/RHSA-2017:2904
Third Party Advisory vendor-advisory
x_refsource_redhat
https://access.redhat.com/errata/RHSA-2017:2905
Third Party Advisory vendor-advisory
x_refsource_redhat
https://access.redhat.com/errata/RHSA-2017:2906
Third Party Advisory, VDB Entry vdb-entry
x_refsource_bid
http://www.securityfocus.com/bid/101601
Scores
CVSS v3
7.5
EPSS
0.0059
EPSS Percentile
69.4%
Attack Vector
NETWORK
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Details
CWE
CWE-613
Status
published
Products (5)
keycloak/keycloak
org.keycloak/keycloak-parent
0 - 3.4.0Maven
Red Hat, Inc./keycloak
3.4.0
redhat/single_sign_on
7.0
redhat/single_sign_on
7.1
Published
Oct 26, 2017
Tracked Since
Feb 18, 2026